Description
Multiple vulnerabilities have been discovered in Zenphoto. One can be exploited by authenticated users with upload privileges to compromise a vulnerable system; the others can be exploited by attackers to conduct cross-site scripting attacks against users of an affected site.
1) Input passed via the "date" parameter to zp-core/zp-extensions/zenpage/admin-news-articles.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
2) The zp-core/admin-upload.php script does not properly verify uploaded files. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script with multiple extensions (a file name that ends in an accepted extension but also carries a PHP one).
Successful exploitation of this vulnerability requires an admin account with upload privileges.
3) Input passed via the "redirect" parameter to zp-core/zp-extensions/federated_logon/OpenID_logon.php and zp-core/zp-extensions/federated_logon/Verisign_logon.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
4) Input passed via the "folderdisplay" and "albumtitle" parameters to zp-core/admin-upload.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
5) Input passed via the "error" parameter to zp-core/admin-users.php (when "mismatch" is set to "format") is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
6) Input passed via the "album" parameter to zp-core/zp-extensions/tiny_mce/plugins/tinyzenpage/tinyzenpage.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
7) Input passed via the "ndeleted" parameter to zp-core/admin-comments.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
8) Input passed via the "data" parameter to zp-core/zp-extensions/GoogleMap/m.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
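The following is an added example, not code from Zenphoto or from the researchers credited in the references. It contrasts an upload check that looks only at the last extension, the kind of check item 2 describes as insufficient, with one that validates every extension segment of the submitted name. The allowlist and the sample file names are constructed for the demonstration.

```php
<?php
// Added example; not Zenphoto's code. Contrasts a last-extension check
// with one that validates every extension segment of an uploaded name.

// Weak pattern: only the final extension is compared to the allowlist.
// "shell.php.jpg" has the final extension "jpg" and is accepted.
function last_extension_is_allowed(string $filename, array $allowed): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return in_array($ext, $allowed, true);
}

// Stricter check: every dot-separated segment after the base name must be
// on the allowlist, so a script extension in any position is rejected.
// (Apache's AddHandler for ".php" matches that extension anywhere in the
// name, which is why "shell.php.jpg" can still be executed as PHP.)
function all_extensions_are_allowed(string $filename, array $allowed): bool
{
    if ($filename === '' || strpos($filename, "\0") !== false) {
        return false;                 // empty name or embedded NUL byte
    }
    if (basename($filename) !== $filename) {
        return false;                 // directory components are not a file name
    }
    $parts = explode('.', $filename);
    if (count($parts) < 2) {
        return false;                 // no extension at all
    }
    $name = array_shift($parts);      // segment before the first dot
    if ($name === '') {
        return false;                 // dotfiles such as ".htaccess"
    }
    foreach ($parts as $segment) {
        if (!in_array(strtolower($segment), $allowed, true)) {
            return false;             // unlisted extension in any position
        }
    }
    return true;
}

// Constructed sample names; the allowlist is what an image gallery would accept.
$allowed = ['jpg', 'jpeg', 'png', 'gif'];
$samples = ['photo.jpg', 'photo.JPG', 'shell.php.jpg', 'shell.php', '.htaccess', 'photo.jpg.php'];
foreach ($samples as $f) {
    printf("%-14s last-extension: %-6s every-extension: %s\n", $f,
        last_extension_is_allowed($f, $allowed) ? 'accept' : 'reject',
        all_extensions_are_allowed($f, $allowed) ? 'accept' : 'reject');
}
```

A name check on its own is not a complete fix: the upload directory should also be served with script execution disabled, and the file content should be validated as an image rather than trusted on the strength of its name.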
The vulnerabilities are confirmed in version 1.4.3.3. Prior versions may also be affected.
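As an added example, not code from Zenphoto or from the advisories it references, the following shows the reflected cross-site scripting pattern common to items 1 and 3 to 8 (a request parameter echoed into the page without escaping) next to a rendering that validates the value and escapes it for its HTML context. The parameter name "date" is taken from item 1; the surrounding form markup, the accepted date format and the request payload are assumptions made for the demonstration.

```php
<?php
// Added example; not Zenphoto's code. A request parameter reflected into
// an HTML attribute, unescaped and then escaped. The "date" parameter name
// comes from item 1 of the advisory; the markup around it is assumed.

// Vulnerable pattern: the raw parameter lands inside an attribute value.
function render_unsafe(array $get): string
{
    $date = $get['date'] ?? '';
    return '<input type="text" name="date" value="' . $date . '">';
}

// Escape for HTML text and double-quoted attribute contexts. ENT_QUOTES
// also converts single quotes; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string, which would silently drop output.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened rendering: validate the parameter against the format the page
// expects, then escape on output regardless of the validation result.
function render_safe(array $get): string
{
    $date = $get['date'] ?? '';
    // Assumed format: a date filter should only see YYYY-MM or YYYY-MM-DD;
    // anything else is discarded rather than echoed back.
    if (!preg_match('/\A\d{4}-\d{2}(-\d{2})?\z/', $date)) {
        $date = '';
    }
    return '<input type="text" name="date" value="' . h($date) . '">';
}

// Constructed request carrying an attribute break-out payload.
$request = ['date' => '"><script>alert(document.cookie)</script>'];
echo render_unsafe($request), "\n";
echo render_safe($request), "\n";

// Where validation is not possible (free text), escaping alone prevents the
// break-out: the quote and angle brackets become entities.
echo h($request['date']), "\n";
```

Escaping is context-specific: htmlspecialchars is correct for HTML text and quoted attributes, while a value placed into a JavaScript string or a URL needs JSON or URL encoding instead. A value that is also used as a redirect target, as the name of item 3's "redirect" parameter suggests, needs its own check that the target is a site-local path, because output escaping does not constrain where the browser is sent.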
Vulnerable Products
Vulnerable Software: Zenphoto 1.x
Solution
Update to version 1.4.3.4.
CVE
References
Scott Herbert:
http://scott-herbert.com/blog/2012/10/02/cookie-stealing-and-xss-vulnerable-in-zenphotoversion-1-4-3-2-1130
Janek Vind "waraxe":
http://www.waraxe.us/advisory-96.html
Zenphoto:
http://www.zenphoto.org/news/zenphoto-1.4.3.4
Vulnerability Manager Detection
No
IPS Protection